On November 1, 2023, the New York Department of Financial Services (NY DFS) published its highly anticipated final amendments to its influential cybersecurity requirements for financial services companies (Part 500). These amendments significantly alter New York’s cybersecurity standards, with some changes effective and enforceable immediately. Importantly, the amendments alter the current regulatory regime to: (1) require greater senior officer and board responsibility for cybersecurity; (2) expand the incidents that are reportable within 72 hours; (3) enshrine and expand long-time regulatory expectations like multifactor authentication and encryption; and (4) revamp the annual certification process to allow either a certification of material compliance or written acknowledgment of material non-compliance, closing a bedeviling catch-22.

1. Applicability & Class A Companies

While NY DFS’s cybersecurity requirements for financial services companies continue to apply to all NY DFS-licensed persons, the amendments define a new class of covered entities that are subject to heightened requirements under the regulations. These Class A companies have at least $20,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the business operations in New York of the covered entity’s affiliates and have either: (1) over 2,000 employees averaged over the last two years, including employees of affiliates; or (2) over $1 billion in gross annual revenue from all business operations of the covered entity and its affiliates. To determine whether a company meets these requirements, “affiliates” includes only those that share information systems, cybersecurity resources, or any part of a cybersecurity program with the covered entity.

Class A companies are now subject to heightened requirements. First, they must “design and conduct independent audits” of their cybersecurity programs. The proposed regulations released prior to the final regulations required an annual independent audit, so the final version marks a move to a more risk-based approach for both the scope and frequency of audits. However, the NY DFS Assessment of Comments released with the final amendments noted that many Class A companies typically conduct more than one audit a year, suggesting that NY DFS may expect audits to be conducted at least annually or more frequently for at least some entities. Second, Class A companies are required to monitor privileged access activity and implement a privileged access management solution and an automated method of blocking commonly used passwords unless the CISO annually states in writing that such blocking is infeasible and provides alternative compensating controls. Third, Class A companies are required to implement an endpoint detection and response solution to monitor anomalous activity and a solution that centralizes logging and security event alerting, unless the CISO has approved in writing the use of reasonably equivalent or more secure compensating controls.

2. Policies & Governance

One of the more striking aspects of the revised regulations is that a company’s “senior governing body” (defined as the board of directors or equivalent, or if an organization does not have a board, the senior officer or officers responsible for the cybersecurity program) must now: (1) have sufficient understanding of cybersecurity related matters (including policies and procedures) to exercise oversight of the entity’s cybersecurity risk management; (2) require the executive management or its designees to develop, implement, and maintain the cybersecurity program; (3) regularly receive and review management reports; and (4) confirm that management has allocated sufficient resources to implement and maintain an effective cybersecurity program. Dropped from the amendments, however, was the requirement for active Board involvement in cybersecurity management, as opposed to oversight.

Additionally, either the senior governing body or the senior officer of a covered entity must now review and approve its cybersecurity policies “at least annually.” Under the proposed revised regulations, review and approval by the senior governing body was required.

As under the original regulations, the CISO must report in writing at least annually on the cybersecurity program to the senior governing body of the covered entity. The report must include information on material “cybersecurity events”¹ and plans for remediating material inadequacies. In addition to reports at least annually, the CISO now must also “timely” report to the senior governing body or senior officer on material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity’s cybersecurity program. Guidance provided by NY DFS in its Assessment of Comments noted that where timely reporting is made to the senior officer, the senior officer is still responsible for appropriately escalating material issues to the senior governing body.

3. Notice of Compliance

One of the biggest changes in the regulations is that covered entities may submit either a certification of “material” compliance or a written acknowledgment of non-compliance. The acknowledgement must identify all of the sections of Part 500 that the entity has not materially complied with, describe the nature and extent of such non-compliance, and provide a remediation timeline or confirmation that remediation has been completed. Interestingly, in the assessment of comments NY DFS noted that even if a covered entity has violated Part 500 as newly defined in the final revised regulations, it may still be able to file a certification of material compliance.

Importantly, as part of NY DFS’s drive for greater senior officer accountability, the certification or acknowledgment must be signed by the CISO and the covered entity’s highest-ranking executive. The revised regulations also include newly expanded language requiring covered entities to retain all documentation supporting a certification of compliance or acknowledgement of non-compliance.

4. Multi-Factor Authentication (MFA)

In a significant expansion of a point of emphasis for NY DFS, MFA is now expressly required for any individual accessing any information systems of a covered entity. In NY DFS’s Assessment of Comments for the final regulations, it noted that this includes customer access to a covered entity’s online portal through its public facing website, although it does not include access to the website itself. If the company has a CISO, the CISO may approve in writing the use of reasonably equivalent or more secure compensating controls. Those controls must be reviewed periodically, but at a minimum annually. The covered entity must satisfy these requirements unless it qualifies for a limited exemption based on the number of employees and either the covered entity’s gross annual revenue or year-end total assets. The limited exemption is not new to the regulations, but NY DFS raised the limited exemption’s number of employee maximum (from 10 to 20), the maximum gross annual revenue (from $5,000,000 to $7,500,000), and total asset figures (from $10,000,000 to $15,000,000). Even those entities which fall within the limited exemption must use MFA for remote access to the covered entity’s information system, remote access to third-party applications from which nonpublic information is accessible, and all privileged accounts other than service accounts that prohibit interactive login.

5. Notification of Cybersecurity Incident

The amendments expand the scope of notifiable incidents within 72 hours to cover events at third-parties, while specifying ransomware as a notifiable event. A cybersecurity incident is defined as a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that: (1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency, or any other supervisory body; (2) has a reasonable likelihood of materially harming any material part of the normal operations of the covered entity; or (3) results in the deployment of ransomware within a material part of the covered entity’s information systems. Along with the initial notification, covered entities have a continuing obligation to update the superintendent with material changes or new information previously unavailable.

Covered entities are also required to submit a notice if it makes an extortion payment in connection with a cybersecurity event. The notice must be submitted within 24 hours of payment. Within 30 days, the covered entity must submit a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control. Note that such extortion payments are not necessarily limited to ransomware events, as long as the payment is still “in connection with” a cybersecurity event.

6. Enforcement

The amendments also modify the definition of a “violation” for the purpose of enforcement. The amendments provide that the “commission of a single act prohibited by this Part or the failure to satisfy an obligation required by this Part shall constitute a violation hereof,” including “the failure to secure or prevent unauthorized access to an individual’s or an entity’s nonpublic information due to non-compliance with any section of this Part” or “the material failure to comply for any 24-hour period with any section of this Part.”

It is notable that the occurrence of a data breach, even one resulting from “non-compliance,” is specifically included as a factor in whether a covered entity has violated Part 500. This suggests a “hindsight is 20/20” approach to enforcement following a data breach, requiring covered entities to try and defend the appropriateness of their actions before the breach happened within the biased context of data breach response and remediation.

The amendments list the factors to be taken into account in assessing a penalty, including, among other things, the entity’s cooperation, its good faith, whether the violation was a result of the failure to remedy previous examination matters or failing to adhere to any disciplinary letter, history of prior violations, the extent to which the senior governing body participated, the penalty or sanction imposed by any other agency, and the financial resources of the company.

7. Vulnerability Management

The amendments alter vulnerability management requirements for covered entities. Covered entities are explicitly required to, in accordance with the risk assessment, implement written policies and procedures for vulnerability management. The policies and procedures must, at a minimum, provide for penetration testing at least annually from both inside and outside the information systems’ boundaries by a qualified internal or external property. The policies and procedures must also require automated scans of information systems and a manual review of systems not covered by the scans at a frequency determined by the risk assessment and promptly after any material system changes. Prior to the amendments, covered entities were only required to perform bi-annual vulnerability assessments. In addition, the policies and procedures must be designed to ensure that entities are promptly informed of new security vulnerabilities and timely remediate those vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the entity.

8. Access Privileges & Management

The amendments impose new requirements on access privileges. Covered entities are required to limit user access privilege to only those information systems necessary to perform the user’s job, to limit the number of privileged accounts and use of those accounts, to periodically review (at least annually) all user access privileges and remove or disable accounts which are no longer necessary, to disable or securely configure protocols that permit remote control of devices, and to promptly terminate access following departures. Covered entities are also required to implement a written password policy that meets industry standards if passwords are employed as a method of authentication.

9. Application security

Covered entities are now required to review “at least annually” (as opposed to “periodically”) its procedures, guidelines, and standards designed to ensure the use of secure development practices for in-house developed applications used by the entity and procedures for evaluating, assessing, or testing the security of externally developed applications used by the covered entity.

10. Risk Assessments

Covered entities are now expressly required to review and update the covered entity’s risk assessment at a minimum annually— as opposed to “as reasonably necessary”— and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.

11. Asset Management

Covered entities are now required to implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of the covered entity’s information systems. The amendments require that the policies and procedures include: (1) a method to track key information for each asset; and (2) the frequency required to update and validate the asset inventory.

12. Monitoring and Training

As part of its cybersecurity program, covered entities are required to implement risk-based controls designed to protect against malicious code, including those that monitor and filter web traffic and email to block malicious content. Covered entities are also required to provide periodic, but at a minimum annual, cybersecurity awareness training that includes social engineering for all personnel.

13. Encryption

Covered entities are now required to have a written policy requiring encryption that meets industry standards, though similar to the requirements for MFA, the CISO may approve alternative compensating controls for data at rest in writing at least annually. Compensating controls are no longer an option for data in transit.

14. Incident response and business continuity management

The amendments expand the scope of the existing requirement to have an incident response plan and add the requirement to have a business continuity and disaster recovery plan with respect to cybersecurity events. The incident response plan must also encompass recovery from backups and preparation of a root cause analysis that describes how and why the event occurred, its business impact, and what will be done to prevent reoccurrence. In addition, covered entities are required to have a business continuity and disaster recovery plan for cybersecurity events that is designed to ensure the availability and functionality of the covered entity’s information systems and material services and protect the covered entity’s personnel, assets, and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities. The amendments contain a detailed list of requirements for the business continuity and disaster recovered plans.

15. Transition Periods

Some of the amendments will be enforced immediately and others have up to a two year transition period. The new definition of a “violation” is effective immediately, meaning that enforcement actions can now take advantage of the expanded definition under the statute. The requirement for notices to the superintendent is effective December 1, 2023, making the next certification or acknowledgment due by April 15, 2024. Other more technical amendments have longer transitional periods. Covered entities have until November 1, 2024 to meet the new encryption, incident response, and business continuity management requirements and November 1, 2025 to comply with the expanded MFA requirements and to create an asset protection list. Many of the other amendments, including many of those related to governance by the board, are effective April 29, 2024.

____________

[View source.]